Authentication methods and systems

ABSTRACT

Authentication methods, systems and computer readable storage medium are provided. In an embodiment, an authentication method includes obtaining from an authentication template a first template portion, including an encoding of features, and a second template portion, including an identification of a location in the first template portion that is not usable. The method further includes revising the first template portion by setting a value at the location to a selected value to form a revised first template portion. Also, the method includes creating an authentication codeword from the revised first template portion and from public recovery data. The method further includes performing an error correction process to generate a corrected authentication codeword from the authentication codeword and from the second template portion and decoding the corrected authentication codeword.

INTRODUCTION

Generally, security systems employ an identity-based authentication scheme to verify the identity of a user before granting access to an access-controlled resource. One goal of such security systems is to accurately determine identity so that an unauthorized party cannot gain access. Security systems can use one or more of several factors, alone or in combination, to authenticate users. For example, identification systems can be based on something that the user knows, something the user is, or something that the user has.

In certain applications, the security system may obtain information from the user in image form through a camera or other image capture device. The information may be in the form of biometric data. Biometric information is metric-related data based on human features or characteristics, such as features or characteristics of fingerprints, faces, irises, retinas, hands and voices. Such biometric information can be used to authenticate the identity of an individual. The authentication can be used for a variety of reasons, for example, granting access to a door, a phone, a computing system, a bank account, or the like. Biometric information is personal information that an individual typically does not want others to obtain for many reasons, including for privacy concerns.

In certain conditions, an image may include portions that are not usable, i.e., cannot be properly encoded. For example, the image may include blurry, blocked or occluded portions of the desired features.

Accordingly, it is desirable to provide biometric authentication methods and systems that reliably and accurately process images of features despite portions of the image being not usable. Furthermore, other desirable features and characteristics will become apparent from the subsequent detailed description and the appended claims, taken in conjunction with the accompanying drawings and the introduction.

SUMMARY

Authentication methods, systems and computer readable storage medium are provided, as well as methods, systems and computer readable storage medium for privacy-enhanced biometric access. In an embodiment, an authentication method includes obtaining from an authentication template a first template portion, including an encoding of features, and a second template portion, including an identification of locations in the first template portion that are not usable. The method further includes revising the first template portion by setting a value at each such location to a selected value to form a revised first template portion. Also, the method includes creating an authentication codeword from the revised first template portion and from public recovery data. The method further includes performing an error correction process to generate a corrected authentication codeword from the authentication codeword and from the second template portion and decoding the corrected authentication codeword.

In the authentication method, decoding the corrected authentication codeword may generate an authentication input. Further, in the authentication method, the public recovery data may be generated from an enrollment input, and the enrollment input may also be converted by a hash function to an enrollment hashed value. The authentication method may further include inputting the authentication input to the hash function to convert the authentication input to an authentication hashed value. Also, the authentication method may further include comparing the authentication hashed value to the enrollment hashed value. In further embodiments, the authentication method may include authenticating a user when the authentication hashed value is identical to the enrollment hashed value. Also, in certain embodiments, the method may include communicating and/or recording a record of each instance a user is authenticated.

In some embodiments, creating the authentication codeword from the revised first template portion and from public recovery data includes processing the revised authentication encoding and the recovery data with a bitwise operator processing unit.

In certain embodiments, creating the authentication codeword from the revised first template portion and from public recovery data comprises processing the revised authentication encoding and the recovery data with an exclusive OR (XOR) processing unit.

Also, in some embodiments, revising the first template portion by setting the value at the location to the selected value to form the revised first template portion includes setting the value at the location to zero.

In another embodiment, an authentication method includes obtaining an enrollment encoding of features from a user, wherein the enrollment encoding includes a first set of occlusions at a first set of locations. The method includes setting a value at the first set of locations to a selected value to create a revised enrollment encoding, and processing the revised enrollment encoding and an enrollment codeword to create a blinded enrollment encoding as recovery data. Further, the method includes obtaining an authentication encoding of features from the user, wherein the authentication encoding includes the first set of locations and includes a second set of occlusions at a second set of locations. The authentication method also includes setting the value at the first set of locations of the authentication template to the selected value to create a revised authentication encoding. Further, the authentication method includes processing the revised authentication encoding and the recovery data to create an authentication codeword, and comparing the authentication codeword and the enrollment codeword to authenticate the user.

In certain embodiments, the method creates the enrollment codeword by encoding an enrollment input, such as a random value. The method may further include entering the enrollment input (random value) in a hash function and converting the enrollment input (random value) to an enrollment hashed value.

Also, in the method, comparing the authentication codeword and the enrollment codeword to authenticate the user may include: decoding the authentication codeword to generate an authentication input; entering the authentication input in the hash function and converting the authentication input to an authentication hashed value; and authenticating the user when the authentication hashed value is identical to the enrollment hashed value.

In some embodiments of the authentication method, processing the revised enrollment encoding and the enrollment codeword to create the blinded enrollment encoding as recovery data includes processing the revised enrollment encoding and the enrollment codeword with a first bitwise operator processing unit, such as a first exclusive OR (XOR) processing unit, and processing the revised authentication encoding and the recovery data to create the authentication codeword includes processing the revised authentication encoding and the recovery data with a second bitwise operator processing unit, such as a second exclusive OR (XOR) processing unit.

In certain embodiments of the authentication method, setting the value at the first set of locations to the selected value to create the revised enrollment encoding comprises setting the value at the first set of locations to zero. Further, in certain embodiments of the authentication method, setting the value at the first set of locations to the selected value to create the revised authentication encoding further includes setting the value at the second set of locations of the authentication template to the selected value.

In some embodiments, the authentication method further includes communicating and/or recording a record of each authentication of the user.

In another embodiment, a non-transitory computer readable storage medium having program instructions embodied therewith is provided. The program instructions are readable by a processor to cause the processor to perform a method for authenticating a user including: receiving an authentication input associated with the user, wherein the authentication input has a first template portion, including an encoding of features, and a second template portion, including an identification of a location in the first template portion that is not usable; revising the first template portion by setting a value at the location to a selected value to form a revised first template portion; creating an authentication codeword from the revised first template portion and from public recovery data; performing an error correction process to generate a corrected authentication codeword from the authentication codeword and from the second template portion; and decoding the corrected authentication codeword.

In an embodiment, a method for providing privacy-enhanced biometric access includes receiving, by a central processor, a biometric token request associated with a request for access rights by a user. The biometric token request includes a hashed value of an enrollment input, and a blinded version of a first portion of an enrollee biometric template. The method for providing privacy-enhanced biometric access further includes generating, by the central processor, a signed token from the hashed value and the blinded version of the first portion of the enrollee biometric template.

The method may further include sending, by the central processor, the signed token to an access control entity or to a user computing device for conveyance to the access control entity. In certain embodiments, the access control entity is a vehicle.

In an exemplary embodiment, the blinded version of the first portion of the enrollee biometric template is an exclusive OR (XOR) value of the first portion of the enrollee biometric template and an enrollment codeword derived from the enrollment input.

Further, the biometric token request may include a second portion of the enrollee biometric template specifying parts of the first portion of the enrollee biometric template that are occluded. In such embodiments, generating the signed token includes generating the signed token from the hashed value, the blinded version of the first portion of the enrollee biometric template, the second portion of the enrollee biometric template, and metadata describing conditions for use after access.

In some embodiments, the method for providing privacy-enhanced biometric access further includes selecting, by a user processor, the enrollment input; encoding, by the user processor, the enrollment input to generate the enrollment codeword; and generating, by the user processor, the blinded version of the first portion of the enrollee biometric template from the enrollment codeword and the first portion of the enrollee biometric template. Further, in such embodiments, encoding the enrollment input to generate the enrollment codeword may include applying an error correction code to the enrollment input.

In certain embodiments, applying the error correction code to the enrollment input includes applying a first error correction code to the enrollment input and obtaining a first output, and applying a second error correction code to the first output to generate the enrollment codeword. In exemplary embodiments, applying the error correction code to the enrollment input may include generating an error correction code output, and permuting the error correction code output by interleaving. In certain embodiments, the error correction code is an erasure code.

An exemplary method further includes receiving, by the access control entity, a first portion of an authentication biometric template and the blinded version of the first portion of the enrollee biometric template; generating, by the access control entity, an authentication codeword from the first portion of the authentication biometric template and the blinded version of the first portion of the enrollee biometric template; decoding, by the user processor, the authentication codeword to generate an authentication input; verifying, by the user processor, that the authentication biometric template and the enrollee biometric template match by computing a cryptographic hash of the authentication input and verifying that the output of the hash function is the same as a corresponding hashed value in the signed token; and allowing, by the user processor, the user access to the access control entity when the authentication biometric template and the enrollee biometric template match. In such embodiments, verifying that the authentication biometric template and the enrollee biometric template match may include utilizing occlusion information from the enrollment biometric template and occlusion information from the authentication biometric template to determine error locations where occlusions occur in the authentication biometric template but do not occur in the enrollee biometric template.

In another embodiment, a system for privacy-enhanced biometric access is provided. The system includes a user processor, wherein the user processor selects an enrollment input, generates a hashed value of the enrollment input, encodes the enrollment input to generate an enrollment codeword, receives enrollment biometric data from a user, and generates a blinded version of a first portion of the enrollee biometric template from the enrollment codeword and the enrollee biometric template. The system further includes a central processor, wherein the central processor receives from the user processor a biometric token request associated with a request for access rights by a user, wherein the biometric token request comprises the hashed value of the enrollment input and the blinded version of the first portion of the enrollee biometric template, and wherein the central processor generates a signed token from the hashed value and the blinded version of the first portion of the enrollee biometric template.

In certain embodiments, the system further includes an access control entity, wherein the access control entity receives the signed token from the central processor. In certain embodiments, the user processor or the access control entity: receives authentication biometric data from a user and generates an authentication codeword from a first portion of the authentication biometric template and the blinded version of the first portion of the enrollee biometric template; decodes the authentication codeword to generate an authentication input; verifies that the authentication biometric template and the enrollee biometric template match; and allows the user access to the access control entity when the authentication biometric template and the enrollee biometric template match.

In an exemplary system for privacy-enhanced biometric access, the biometric token request further includes a second portion of the enrollee biometric template specifying parts of the first portion of the enrollee biometric template that are occluded, and the central processor generates the signed token from the hashed value, the blinded version of the first portion of the enrollee biometric template, the second portion of the enrollee biometric template, and metadata describing conditions for use after access.

Another exemplary system for privacy-enhanced biometric access further includes an access control entity, wherein the access control entity receives the signed token from the central processor, wherein the enrollment biometric data includes a second portion of the enrollment biometric data specifying parts of the first portion of the enrollee biometric template that are occluded, and wherein the user processor or the access control entity verifies that the authentication biometric template and the enrollee biometric template match.

Another embodiment provides a non-transitory computer readable storage medium having program instructions embodied therewith. The program instructions are readable by a processor to cause the processor to perform a method for privacy-enhanced biometric access including receiving a biometric token request associated with a request for access rights by a user, wherein the biometric token request comprises a hashed value of an enrollment input and a blinded version of a first portion of an enrollee biometric template; and generating a signed token from the hashed value and the blinded version of the first portion of the enrollee biometric template. The method may further include sending the signed token to an access control entity or to a user computing device for conveyance to the access control entity.

This summary is provided to introduce a selection of concepts in a simplified form that are further described below in the detailed description. This summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used as an aid in determining the scope of the claimed subject matter.

BRIEF DESCRIPTION OF THE DRAWINGS

The present subject matter will hereinafter be described in conjunction with the following drawing figures, wherein like numerals denote like elements, and wherein:

FIG. 1 is a computing environment in accordance with embodiments herein;

FIG. 2 is a block diagram illustrating an example of a processing system for practice of teachings herein;

FIG. 3 is a schematic of a system for biometric access according to one or more embodiments; and

FIG. 4 is a schematic of an authentication method according to one or more embodiments.

DETAILED DESCRIPTION

The following detailed description is merely illustrative in nature and is not intended to limit the embodiments of methods, systems and computer readable storage medium for privacy-enhanced biometric access described herein. As used herein, the word “exemplary” means “serving as an example, instance, or illustration.” Any implementation described herein as exemplary is not necessarily to be construed as preferred or advantageous over other implementations. Furthermore, there is no intention to be bound by any expressed or implied theory presented in the preceding technical field, background, brief summary or the following detailed description. It should be understood that throughout the drawings, corresponding reference numerals indicate like or corresponding parts and features. As used herein, the term module refers to processing circuitry that may include an application specific integrated circuit (ASIC), an electronic circuit, a processor (shared, dedicated, or group) and memory that executes one or more software or firmware programs, a combinational logic circuit, and/or other suitable components that provide the described functionality.

Embodiments herein may be described below with reference to schematic or flowchart illustrations of methods, systems, devices, or apparatus that may employ programming and computer program products. It will be understood that blocks, and combinations of blocks, of the schematic or flowchart illustrations, can be implemented by programming instructions, including computer program instructions. These computer program instructions may be loaded onto a computer or other programmable data processing apparatus (such as a controller, microcontroller, or processor) to produce a machine, such that the instructions which execute on the computer or other programmable data processing apparatus create instructions for implementing the functions specified in the flowchart block or blocks. These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instructions which implement the function specified in the flowchart block or blocks. The computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart block or blocks. Programming instructions may also be stored in and/or implemented via electronic circuitry, including integrated circuits (ICs) and Application Specific Integrated Circuits (ASICs) used in conjunction with sensor devices, apparatuses, and systems.

Described herein is a biometric authentication scheme that does not require the enrollee to send his biometric information to the back office or central database/processor, which would otherwise represent a privacy risk. Nor does the scheme require the enrollee to store a copy of his enrollment biometric or any biometric token on a local device such as a phone, which would otherwise represent a security risk as the device can be compromised. In fact, embodiments of the biometric authentication scheme do not require any secure storage capabilities on the user's phone. Moreover, the enrollee does not need to communicate anything to the authenticating device other than providing biometric data, such as by displaying his iris. Thus, embodiments of the biometric authentication scheme prevent leaking of users' biometric information, which may otherwise lead to long-term and permanent cybersecurity problems, such as identity theft, impersonation, etc.

Further, embodiments of the scheme described herein are capable of overcoming issues presented by occlusions, such as those caused by eyelids covering portions of the iris or specular reflections, that are prevalent in iris-based authentication. Moreover, the angular orientations of the iris during enrollment and authentication phases are often different. This adds challenges to authentication processes. Described herein are techniques to provide for authentication despite differing angular orientations during enrollment and authentication. Thus, despite occlusions and despite the fact that any two measurements of the same biometric will be different to some extent, embodiments of the scheme described herein are able to correctly accept measurements from the same biometric and reject others, all while preserving the privacy of the enrollment biometric.

Embodiments may utilize the authentication methods and systems and/or the methods and systems for providing biometric access in a variety of applications. For example, such methods and systems may be utilized in automobile sharing applications and/or in personal vehicles to provide vehicle access and start. Such applications may utilize the methods and systems described herein as the primary access mode, or as a backup mode. Also, the methods and systems described herein may be utilized to provide temporary authorizations to use a vehicle, such as by a vehicle owner to family or friends. Further, the methods and systems may be used in a peer-to-peer (P2P) car sharing arrangement. In other embodiments, the methods and systems described may be utilized for in-vehicle payments, such as for tolls, parking or drive-through purchases. In-car delivery can also be provided by allowing access for delivery according to methods and systems described herein. Also, valet access can be provided utilizing the methods and systems described herein. Additional operating constraints such as geofencing and maximum speed can also be specified in valet access mode.

In accordance with an exemplary embodiment, FIG. 1 illustrates a computing environment 50. As shown, computing environment 50 comprises one or more computing devices, for example, personal digital assistant (PDA) or cellular telephone (mobile device) 54A, server 54B, computer 54C, and/or automobile onboard computer system 54N, which are connected via network 150. The one or more computing devices may communicate with one another using network 150.

Network 150 can be, for example, a local area network (LAN), a wide area network (WAN), such as the Internet, a dedicated short range communications network, or any combination thereof, and may include wired, wireless, fiber optic, or any other connection. Network 150 can be any combination of connections and protocols that will support communication between mobile device 54A, server 54B, computer 54C, and/or automobile onboard computer system 54N, respectively.

In accordance with an exemplary embodiment, FIG. 2 illustrates a processing system 200 for implementing the teachings herein. The processing system 200 can form at least a portion of the one or more computing devices, such as mobile device 54A, server 54B, computer 54C, and/or automobile onboard computer system 54N. The processing system 200 may include one or more central processing units (processors) 201a, 201b, 201c, etc. (collectively or generically referred to as processor(s) 201). Processors 201 are coupled to system memory 214 and various other components via a system bus 213. Read only memory (ROM) 202 is coupled to the system bus 213 and may include a basic input/output system (BIOS), which controls certain basic functions of the processing system 200.

FIG. 2 further depicts an input/output (I/O) adapter 207 and a network adapter 206 coupled to the system bus 213. I/O adapter 207 may be a small computer system interface (SCSI) adapter that communicates with a hard disk 203 and/or other storage drive 205 or any other similar component. I/O adapter 207, hard disk 203, and other storage device 205 are collectively referred to herein as mass storage 204.

Operating system 220 for execution on the processing system 200 may be stored in mass storage 204. A network adapter 206 interconnects bus 213 with an outside network 216 enabling data processing system 200 to communicate with other such systems. A screen (e.g., a display monitor) 215 can be connected to system bus 213 by display adapter 212, which may include a graphics adapter to improve the performance of graphics intensive applications and a video controller. In one embodiment, adapters 207, 206, and 212 may be connected to one or more I/O busses that are connected to system bus 213 via an intermediate bus bridge (not shown). Suitable I/O buses for connecting peripheral devices such as hard disk controllers, network adapters, and graphics adapters typically include common protocols, such as the Peripheral Component Interconnect (PCI). Additional input/output devices are shown as connected to system bus 213 via user interface adapter 208 and display adapter 212. A keyboard 209, mouse 210, and speaker 211 can all be interconnected to bus 213 via user interface adapter 208, which may include, for example, a Super I/O chip integrating multiple device adapters into a single integrated circuit.

The processing system 200 may additionally include a graphics processing unit 230. Graphics processing unit 230 is a specialized electronic circuit designed to manipulate and alter memory to accelerate the creation of images in a frame buffer intended for output to a display. In general, graphics processing unit 230 is very efficient at manipulating computer graphics and image processing and has a highly parallel structure that makes it more effective than general-purpose CPUs for algorithms where processing of large blocks of data is done in parallel.

Thus, as configured in FIG. 2, the processing system 200 includes processing capability in the form of processors 201, storage capability including system memory 214 and mass storage 204, input means such as keyboard 209 and mouse 210, and output capability including speaker 211 and display 215. In one embodiment, a portion of system memory 214 and mass storage 204 collectively store an operating system to coordinate the functions of the various components shown in FIG. 2.

The one or more computing devices may further include a transmitter and receiver (not shown), to transmit and receive information. The signals sent and received may include data, communication, and/or other propagated signals. Further, it should be noted that the functions of transmitter and receiver could be combined into a single transceiver.

FIG. 3 illustrates an embodiment of a system 300 for privacy-enhanced biometric access, such as for access to a vehicle. As shown, the system 300 includes a first biometric data receiving device 310 and a second biometric data receiving device 350. Each biometric data receiving device 310 and 350 is suitable for receiving biometric data from a user. An exemplary biometric data receiving device may be a camera, fingerprint reader, iris or retina scanner, or the like. In certain embodiments, a single or same biometric data receiving device may serve as the first biometric data receiving device 310 and second biometric data receiving device 350.

As further shown, the system 300 may include a local user processor 320 provided for communication with the biometric data receiving device 310 to receive biometric data therefrom. Further, the system 300 may include an access control entity 360. Also, the system 300 includes a back office or central processor 380 provided for communication with the local user processor 320.

The exemplary local user processor 320 includes a number generating processing unit 324, a hash function processing unit 334, an encoder processing unit 338, a bitwise operator processing unit 344, and an occlusion processing unit 420. The exemplary access control entity 360 includes an occlusion processing unit 460, a bitwise operator processing unit 364, an erasure handling processor unit 368, a decoder processing unit 374, and an authentication processing unit 384, the use of which are described below.

During an enrollment process, a user provides biometric information to the biometric data receiving device 310. For example, the user may allow his iris to be scanned. As a result, an enrollee biometric template 311, such as an enrollee iris template, is received by the biometric data receiving device 310 and is communicated from the biometric data receiving device 310 to the local user processor 320. As shown, the enrollment biometric template 311 includes “W_(Bio)”, a first enrollment portion 321, and “Mask_(Bio)”, a second enrollment portion 322. The first enrollment portion 321 is an encoding of features of the measured object, such as of features of the iris. The second enrollment portion 322 specifies the areas of the first enrollment portion 321 that are not usable, such as due to occlusions and/or light reflection.

For security reasons, the number of occlusions in the enrollment biometric template 311, i.e., the number of locations of “W_(Bio)” that “Mask_(Bio)” marks as not usable, cannot be above a certain threshold. The local user processor 320 rejects the enrollment template if this condition is not met. This condition is meant to prevent someone from enrolling a completely occluded/hidden iris into the system, and then using the issued biometric token to let any iris pass the authentication.

Proceeding with the enrollment process, the first enrollment portion 321 and the second enrollment portion 322 are communicated to the occlusion processing unit 420. Utilizing the second enrollment portion 322, the occlusion processing unit 420 forces the occluded locations of the first enrollment portion 321 to a specific selected value. For example, the occlusion processing unit 420 sets the value at each occluded location to a selected value to create a revised enrollment encoding 323. In certain embodiments, the selected value is zero.

Thereafter, the revised enrollment portion 323, with occluded locations set to the selected value, is communicated to the bitwise operator processing unit 344. In an exemplary embodiment, the bitwise operator processing unit 344 is an exclusive OR (XOR) processing unit.

Parallel to the acquisition of the enrollment biometric template 311, the local user processor 320 generates another signal to be provided to the bitwise operator processing unit 344. As shown, the number generating processing unit 324 generates an enrollment input 325. In an exemplary embodiment, the enrollment input 325 is a random string of bits. An exemplary enrollment input 325 is a random string with a length of 128 bits, though shorter or longer lengths may be used.

The enrollment input 325 is communicated to the hash function processing unit 334. The hash function processing unit 334 converts the enrollment input 325 to “H(m)”, a hashed value 335, i.e., a bit string of a fixed size. As shown, the enrollment input 325 is also communicated to the encoder processing unit 338. The encoder processing unit 338 generates “c”, an enrollment codeword 339 that is derived from the enrollment input 325.

In an exemplary embodiment, the enrollment codeword “c” is a random codeword because the enrollment input to the encoder is randomly chosen. In an exemplary embodiment, the encoder processing unit 338 utilizes an error correcting code. Further, an exemplary encoder processing unit 338 utilizes an error correcting code and an erasure code, such as a Reed-Solomon code. In an additional exemplary embodiment, the error correcting code is a concatenated code that applies two different error correcting codes, encoding the output symbols of the outer error correcting code with a second, distinct inner error correcting code. For example, the outer code may be a Reed-Solomon code and the inner code may be a Hamming code. In another exemplary embodiment, an interleaver is used to permute the output of the error correcting code so that errors that tend to be localized are spread out over the entire enrollment codeword.

In another exemplary embodiment, the encoder processing unit 338 utilizes an (n,k,d) error and erasure-correcting code. An (n,k,d) error-correcting code is a code of length n, rank k, and minimum distance d. In other words, the codewords in the code have length n, and the minimum number of differences between any two codewords in the code is d. In addition to correcting ordinary errors, the code used also has the capability to correct erasure errors, i.e., errors whose locations in the codeword are known. In an exemplary embodiment, the encoder processing unit 338 applies a concatenation of two error correcting codes to the enrollment input. Again, an interleaver may be used to permute the output of the error correcting code so that errors that tend to be localized are spread out over the entire enrollment codeword.

The enrollment codeword 339 is communicated to the bitwise operator processing unit 344. In the exemplary embodiment, the bitwise operator processing unit 344 receives, as inputs, the revised enrollment portion 323 and the enrollment codeword 339 and outputs “rec”, a blinded version of the enrollee biometric template first portion 345, wherein rec = W_(Bio) ⊕ c. The blinded version of the enrollee biometric template first portion 345 may be utilized as public recovery data.

Thus, in an enrollment period, the hashed value 335 (H(m)), the blinded version of the enrollee biometric template first portion 345 (rec), and the enrollment biometric template second enrollment portion 322 (Mask_(Bio)) are collectively communicated from the local user processor 320 to the central processor 380, as a biometric token request 348 associated with a request for access rights by a user. In an exemplary embodiment, the biometric token request 348 is conveyed from the local user processor 320 to the central processor 380 by a cellular network data connection, by the internet, or by a local wireless connection such as Bluetooth Low Energy. The central processor 380 serves as a signing certification authority and generates a signed token 381 from the hashed value 335 (H(m)), the blinded version of the enrollee biometric template first portion 345 (rec), and the enrollment biometric template second enrollment portion 322 (Mask_(Bio)). In an exemplary embodiment, the signed token 381 is in the format of:

σ_(CA)(W_(Bio)) = Sig_(CA)(H(H(m)), rec, Mask_(Bio), Metadata).

Thus, the system 300 provides for receiving, by the central processor 380, the biometric token request 348 associated with a request for access rights by a user, wherein the biometric token request comprises a hashed value 335 of an enrollment input and a blinded version 345 of a first portion of an enrollee biometric template, and for generating, by the central processor 380, the signed token 381 from the hashed value 335 and the blinded version 345 of the first portion of the enrollee biometric template. Further, the central processor 380 may generate the signed token 381 from the second portion of the enrollee biometric template, which specifies parts of the first portion of the enrollee biometric template that are occluded, and from metadata describing conditions for use after access.

The system 300 further provides for authenticating the user or “prover” at a time after enrollment. During an authentication process, the user provides biometric information to the second biometric data receiving device 350 as described above. As a result, an authentication biometric template 351, such as an enrollee iris template, is received by the second biometric data receiving device 350 and is communicated from the second biometric data receiving device 350 to the access control entity 360. An exemplary access control entity 360 is a vehicle. In certain embodiments, the access control entity 360 is a user computing device such as a phone or personal computer. Alternatively, the access control entity 360 may be common with, or a part of, the local user processor 320. As shown, the authentication biometric template 351 includes “W′_(Bio)”, a first authentication portion 361, and “Mask′_(Bio)”, a second authentication portion 362. The first authentication portion 361 is an encoding of features of the measured object, such as of features of the iris. The second authentication portion 362 specifies the areas of the first authentication portion 361 that are not usable, such as due to occlusions and/or light reflection.

As shown, the first authentication portion 361 and the second authentication portion 362 are communicated to the occlusion processing unit 460. Utilizing the second authentication portion 362, the occlusion processing unit 460 forces the occluded locations of the first authentication portion 361 to the specific selected value. For example, the occlusion processing unit 460 sets the value at each occluded location to the selected value to create a revised authentication encoding 363. In certain embodiments, the selected value is zero.

Thereafter, the revised authentication encoding 363, with the occluded locations set to the selected value, is communicated to the bitwise operator processing unit 364. In an exemplary embodiment, the bitwise operator processing unit 364 is an exclusive OR (XOR) processing unit. Bitwise operator processing unit 364 also receives the blinded version of the enrollee biometric template first portion 345. In an exemplary embodiment, the blinded version of the enrollee biometric template first portion 345 is conveyed from the central processor 380 to the bitwise operator processing unit 364 by a cellular network data connection, by the internet, or by a local wireless connection. It is noted that while FIG. 3 illustrates the blinded version of the enrollee biometric template first portion 345 being communicated from the central processor 380, the blinded version of the enrollee biometric template first portion 345 may reside in the local user processor 320 and/or be communicated from the local user processor 320 to the bitwise operator processing unit 364, such as by a cellular network data connection, by the internet, or by a local wireless connection.

Bitwise operator processing unit 364 receives, as inputs, the revised authentication encoding 363 and the blinded version of the enrollee biometric template first portion 345, and outputs “C′”, an authentication codeword 365.

In the illustrated embodiment, the authentication codeword 365 may be communicated to the erasure handling processor unit 368. As shown, the erasure handling processor unit 368 also receives “Mask′_(Bio)”, the authentication biometric template second authentication portion 362, and “Mask_(Bio)”, the enrollment biometric template second enrollment portion 322. It is noted that while FIG. 3 illustrates the enrollment biometric template second enrollment portion 322 being communicated from the central processor 380, such as by a cellular network data connection, by the internet, or by a local wireless connection, the enrollment biometric template second enrollment portion 322 may reside in the local user processor 320 and/or be communicated from the local user processor 320 to the erasure handling processor unit 368, such as by a cellular network data connection, by the internet, or by a local wireless connection.

The erasure handling processor unit 368 evaluates the locations 451 (shown in FIG. 4) of occlusions specified in “Mask′_(Bio)”, the authentication biometric template second authentication portion 362, and the locations 411 (shown in FIG. 4) of occlusions specified in “Mask_(Bio)”, the enrollment biometric template second enrollment portion 322, to determine which locations are occluded in the authentication biometric template as indicated in Mask′_(Bio), but are not occluded in the enrollment biometric template as indicated in Mask_(Bio). These locations that are occluded in the authentication biometric template but not in the enrollment biometric template are considered to be erasure errors, and are identified in erasure error information 370. This information 370, along with the authentication codeword 365, is communicated to the decoder processing unit 374 as signal 371. The decoder processing unit 374 decodes the authentication codeword 365 using the reverse operation of the encoder processing unit 338, optionally making use of the erasure error information 370 generated by the erasure handling processor unit 368 to identify the locations of erasure errors, and generates “m′”, an authentication input 375.

The authentication input 375 is communicated to a verification processor unit 384. The verification processor unit 384 also receives the signed token 381 and verifies that the user biometric template 351 and the enrollee biometric template 311 match by using m′, the authentication input 375, as the input to a hash function identical to the function utilized by the hash function processing unit 334, and comparing the output of the hash function with the hashed value 335 in the biometric token. If the hash function output is identical to the hashed value 335 and the signature on the signed biometric token 348 is valid, then the user biometric template 351 and the enrollee biometric template 311 are considered to match; otherwise the templates are considered not to match.

When the user biometric template 311 and the enrollee biometric template 351 match, the verification processor unit 384 may issue an authorization notice 385 to allow the user access to the access control entity. If the user biometric template 311 and the enrollee biometric template 351 do not match, then a non-authorization notice 389 may be issued by the verification processor unit 384. As shown, the access control entity 360 may save a record 390 of each instance a user is authenticated and/or communicate a record 390 to the central processor 380.

FIG. 4 illustrates an authentication method for handling occluded data. In FIG. 4, enrollment data 311 is received and includes portions or locations 411 that are not usable, e.g., that include occlusions 412. Enrollment data 311 may be considered to be an enrollment template including a first portion of an encoding of features of the measured object and a second enrollment portion specifying locations 411 that are not usable.

As shown, the enrollment data 311 is revised by setting values at the locations 411 to a selected value 423 to form a revised enrollment template portion 323. In an exemplary embodiment, the selected value 423 is zero.

The revised enrollment encoding 323 is processed with an enrollment codeword 339 to create a blinded enrollment encoding as recovery data 345. For example, the revised enrollment encoding 323 and the enrollment codeword 339 may be exclusive OR'ed (XOR'ed) to generate the recovery data 345.

As further shown, authentication data 351 includes portions or locations 451 that are not usable, e.g., that include occlusions 452. As shown, authentication data 351 need not include occlusions at locations 411. In other embodiments, authentication data 351 may include occlusions at locations 411. Authentication data 351 may be considered to be an authentication template including a first portion of an encoding of features of the measured object and a second authentication portion specifying locations 451 that are not usable.

As shown, the authentication data 351 is revised by setting values at the locations 451 to a selected value 463 to form a revised authentication template portion 363. In an exemplary embodiment, the selected value 463 is zero. As shown, the locations 411 may also be set to the selected value 423, corresponding to the revised enrollment encoding 323.

The revised authentication encoding 363 is processed with the recovery data 345 to create an authentication codeword 365. For example, the revised authentication encoding 363 and the recovery data 345 may be exclusive OR'ed (XOR'ed) to generate the authentication codeword 365.
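The following derivation is added here and is not part of the patent text; it uses the page's own symbols to show why the XOR of the revised authentication encoding with the recovery data hands the decoder a noisy copy of the enrollment codeword. Here W_(Bio) and W′_(Bio) denote the revised enrollment and authentication encodings, i.e., with occluded locations already set to the selected value:

rec = W_(Bio) ⊕ c

C′ = W′_(Bio) ⊕ rec = W′_(Bio) ⊕ W_(Bio) ⊕ c = c ⊕ e,  where e = W_(Bio) ⊕ W′_(Bio)

The decoder therefore sees the enrollment codeword c corrupted by the error pattern e, which is nonzero exactly at the locations where the two revised encodings differ. At a location occluded only in the enrollment template, or in both templates, both revised encodings hold the selected value, so e is 0 there. At a location occluded only in the authentication template, the revised authentication value is the selected value while W_(Bio) keeps its original bit, so e may be 1; the erasure handling unit reports that location as a known erasure. For an (n,k,d) error and erasure-correcting code, decoding recovers c (and hence m) whenever the t errors at unknown locations and the s erasures at known locations satisfy 2t + s < d, so each flagged erasure consumes one unit of the distance budget instead of the two an unflagged error would.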

Thereafter, the authentication codeword 365 may be processed, such as by an erasure handling unit. It is noted that, in FIG. 4, the authentication data 351 includes occlusions 452 at locations 451 but not at locations 411, where the enrollment data 311 includes occlusions 412. In other words, locations 451 do not overlap with or include any of locations 411 (as noted above, this need not be the case). The erasure handling unit will consider any locations 451 that do not overlap with locations 411 to be erasure errors included in erasure information 370, as noted above in relation to FIG. 3, and include the erasure information 370 and the authentication codeword 365 in a signal 371.

As described in relation to FIG. 3, the authentication codeword 365 and the erasure error information 370 are communicated to the decoder 374 as signal 371. The decoder 374 uses, among other inputs, the locations of erasure errors to process the authentication codeword 365 to compute a corrected authentication codeword 375. The corrected authentication codeword 375 may be further processed according to FIG. 3 to authenticate a user.

It is noted that for any enrollment or authentication biometric template, an unpredictable set of regions or locations can be occluded. In a particular template there may be no occlusions at all, or several non-adjacent regions of various sizes, each of which can be occluded. The process described herein handles such varying conditions in the same manner. For both enrollment and authentication, the captured images are first converted to a template (a standardized representation of the geometry of the image that is scaled such that it is size independent). The set of locations in the template that are occluded is determined and then processed appropriately.

Because the enrollment biometric template and the authentication biometric template are independent, there can be locations that are occluded in neither template, locations that are only occluded in the enrollment template, locations that are only occluded in the authentication template, and locations that are occluded in both templates. Each of these cases is treated separately by the method described herein.

When an authentication image of the iris is taken and converted into a template, the locations of occlusions are independently determined. All locations that are occluded in the authentication template are set to a specified value (such as zero). Locations of the authentication template that are occluded in the corresponding locations in the enrollment template are also set to the same specified value. Thus, if there is no occlusion at a specific location in either template, the original value remains unchanged. If there is an occlusion at a location only in the enrollment template, then the authentication template is set to the specified value at that location and no further action is taken. If there are occlusions at the same location in both the enrollment template and the authentication template, then the authentication template is set to the specified value and no further action is taken. If there is an occlusion at a location in the authentication template but not in the corresponding location in the enrollment template, then the authentication template is set to the specified value and, in addition, the erasure code is notified that an error definitely occurs at this position.
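The following is an added example, not code from the patent, that runs the whole scheme end to end: the enrollment side (occlusion threshold check, masking, random enrollment input m, codeword c, rec = W_(Bio) ⊕ c and H(m), as described for FIG. 3 above) and the authentication side with the four occlusion cases just listed (masking, C′ = W′_(Bio) ⊕ rec, erasure flagging for locations occluded only at authentication, erasure-aware decoding, and the hash comparison). Everything beyond the page's description is an assumption: a (5,1,5) repetition code with majority-vote decoding stands in for the Reed-Solomon or concatenated codes the text mentions, SHA-256 plays the role of H, the central processor's signature over the token is left out, the 25% occlusion threshold and 16-bit m are chosen for the example, and the templates are constructed bit strings, not real iris encodings.

```python
"""Added example (not the patent's code): fuzzy-commitment style biometric
authentication with occlusion masks, XOR blinding, erasure-aware decoding and
hash comparison. Templates are lists of 0/1 bits; masks are lists in which 1
marks an unusable (occluded) location. All parameters below are assumptions."""
import hashlib
import random
import secrets

K = 16                 # bits in the random enrollment input m (assumed size)
REPEAT = 5             # (n=5, k=1, d=5) repetition code per bit of m
TEMPLATE_LEN = K * REPEAT
SELECTED_VALUE = 0     # value written at occluded locations (the text's exemplary choice)
MAX_OCCLUDED = 0.25    # enrollment rejected above this occluded fraction (assumed threshold)


def encode(m_bits):
    """Encoder processing unit: repeat every bit of m REPEAT times."""
    return [b for b in m_bits for _ in range(REPEAT)]


def decode(codeword, erasures):
    """Decoder processing unit: majority vote per block, ignoring known erasures.
    Returns None if a block is fully erased, since no vote is possible."""
    m = []
    for blk in range(len(codeword) // REPEAT):
        votes = [codeword[j] for j in range(blk * REPEAT, (blk + 1) * REPEAT)
                 if j not in erasures]
        if not votes:
            return None
        m.append(1 if 2 * sum(votes) > len(votes) else 0)
    return m


def H(bits):
    """Hash function processing unit: SHA-256 over the packed bit string."""
    as_int = int("".join(map(str, bits)), 2)
    return hashlib.sha256(as_int.to_bytes((len(bits) + 7) // 8, "big")).hexdigest()


def apply_mask(template, mask, value=SELECTED_VALUE):
    """Occlusion processing unit: force every masked location to the selected value."""
    return [value if occluded else bit for bit, occluded in zip(template, mask)]


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def occlusion_ok(mask):
    """Enrollment-time check: reject a template that is mostly occluded."""
    return sum(mask) <= MAX_OCCLUDED * len(mask)


def enroll(w_bio, mask_bio, rand_bits=secrets.randbits):
    """Local user processor: produce the token request contents (H(m), rec, Mask_Bio)."""
    if not occlusion_ok(mask_bio):
        raise ValueError("enrollment template too heavily occluded")
    m_int = rand_bits(K)
    m = [(m_int >> (K - 1 - i)) & 1 for i in range(K)]
    c = encode(m)
    rec = xor(apply_mask(w_bio, mask_bio), c)      # rec = W_Bio xor c
    return {"hash": H(m), "rec": rec, "mask": mask_bio}


def erasure_locations(mask_bio, mask_auth):
    """Erasure handling unit: occluded now but not at enrollment -> known error position."""
    return {i for i, (b, a) in enumerate(zip(mask_bio, mask_auth)) if a and not b}


def authenticate(token, w_auth, mask_auth):
    """Access control entity: rebuild a noisy codeword, decode it, compare hashes."""
    mask_bio = token["mask"]
    # Locations occluded in either template are set to the selected value, so
    # enrollment-only and both-occluded locations contribute no error.
    revised = apply_mask(w_auth, [b or a for b, a in zip(mask_bio, mask_auth)])
    c_prime = xor(revised, token["rec"])           # C' = W'_Bio xor rec = c xor e
    m_prime = decode(c_prime, erasure_locations(mask_bio, mask_auth))
    return m_prime is not None and H(m_prime) == token["hash"]


def demo():
    """Genuine re-capture with bit flips and a fresh occlusion, versus an impostor."""
    rng = random.Random(7)                          # constructed sample data
    w_bio = [rng.getrandbits(1) for _ in range(TEMPLATE_LEN)]
    mask_bio = [1 if 10 <= i < 15 else 0 for i in range(TEMPLATE_LEN)]   # eyelid at enrollment
    token = enroll(w_bio, mask_bio)

    w_auth = list(w_bio)
    for i in (3, 27, 61):                           # one bit error in three different blocks
        w_auth[i] ^= 1
    mask_auth = [1 if 40 <= i < 44 else 0 for i in range(TEMPLATE_LEN)]  # new occlusion: 4 erasures
    impostor = [rng.getrandbits(1) for _ in range(TEMPLATE_LEN)]
    return authenticate(token, w_auth, mask_auth), authenticate(token, impostor, mask_auth)


if __name__ == "__main__":
    print(demo())
```

The genuine capture passes because each flipped bit is outvoted within its block and the four erased positions are simply excluded from the vote of their block, while the impostor's template turns roughly half of the codeword bits into unknown errors and decoding lands on a different m′. Note that the block fully occluded at enrollment (locations 10 to 14) decodes correctly for anyone, which is precisely why the enrollment-side occlusion threshold exists.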

As described herein, methods, systems and computer readable storage medium for authentication and privacy-enhanced biometric access are provided. In the methods and systems described, biometric authentication is provided without requiring the enrollee to send his biometric information to a central processor, or to store a copy of his enrollment biometric or any biometric token on a local device such as a phone. Further, in the methods and systems described, the enrollee does not need to communicate anything to the authenticating device other than providing biometric data, such as by displaying his iris. Further, embodiments of the scheme described herein are capable of overcoming issues presented by occlusions, such as those caused by eyelids covering portions of the iris or specular reflections, that are prevalent in iris-based authentication.

In applications of the methods and systems described herein, a user may provide authentication data to a vehicle and the vehicle may relay the authentication data to a central processor where an authorization decision, i.e., the decision whether to grant access and use to the user, may be performed. The central processor may communicate an authorization token to the vehicle and may log information related to the authentication data and grant of access.

In another application, a user may obtain access to enter and use a vehicle as described above while a vehicle owner retains the ability to revoke access. For example, the vehicle owner may have the ability to communicate to the central processor to revoke access. Such an application may be used during peer-to-peer car sharing or for valet access.

For a delivery application, a delivery employee may provide biometric data to enroll. In response, the central processor, e.g., a back office service, may send an authorization token to the vehicle such that the delivery employee is granted access to enter, but not start, the vehicle. Such access may be limited to the trunk of the vehicle. Further, the back office server may issue the authorization token when approved by the owner of the vehicle.

While at least one exemplary aspect has been presented in the foregoing detailed description, it should be appreciated that a vast number of variations exist. It should also be appreciated that the exemplary aspect or exemplary aspects are only examples, and are not intended to limit the scope, applicability, or configuration of the claimed subject matter in any way. Rather, the foregoing detailed description will provide those skilled in the art with a convenient road map for implementing an exemplary aspect of the subject matter. It being understood that various changes may be made in the function and arrangement of elements described in an exemplary aspect without departing from the scope of the subject matter as set forth in the appended claims.

What is claimed is:
 1. An authentication method comprising: obtaining from an authentication template a first template portion, including an encoding of features, and a second template portion, including an identification of a location in the first template portion that is not usable; revising the first template portion by setting a value at the location to a selected value to form a revised first template portion; creating an authentication codeword from the revised first template portion and from public recovery data; performing an error correction process to generate a corrected authentication codeword from the authentication codeword and from the second template portion; and decoding the corrected authentication codeword.
 2. The authentication method of claim 1 wherein decoding the corrected authentication codeword generates an authentication input.
 3. The authentication method of claim 2 wherein the public recovery data is generated from an enrollment input, wherein the enrollment input is converted by a hash function to an enrollment hashed value, and wherein the method further comprises inputting the authentication input to the hash function to convert the authentication input to an authentication hashed value.
 4. The authentication method of claim 3 further comprising comparing the authentication hashed value to the enrollment hashed value.
 5. The authentication method of claim 4 further comprising authenticating a user when the authentication hashed value is identical to the enrollment hashed value.
 6. The authentication method of claim 5 further comprising communicating and/or recording a record of each instance a user is authenticated.
 7. The authentication method of claim 1 wherein creating the authentication codeword from the revised first template portion and from public recovery data comprises processing the revised authentication encoding and the recovery data with a bitwise operator processing unit.
 8. The authentication method of claim 1 wherein creating the authentication codeword from the revised first template portion and from public recovery data comprises processing the revised authentication encoding and the recovery data with an exclusive OR (XOR) processing unit.
 9. The authentication method of claim 1 wherein the location in the first template portion is occluded.
 10. The authentication method of claim 1 wherein revising the first template portion by setting the value at the location to the selected value to form the revised first template portion comprises setting the value at the location to zero.
 11. An authentication method comprising: obtaining an enrollment encoding of features from a user, wherein the enrollment encoding includes a first set of occlusions at a first set of locations; setting a value at the first set of locations to a selected value to create a revised enrollment encoding; processing the revised enrollment encoding and an enrollment codeword to create a blinded enrollment encoding as recovery data; obtaining an authentication encoding of features from the user, wherein the authentication encoding includes the first set of locations and includes a second set of occlusions at a second set of locations; setting the value at the first set of locations and the value at the second set of locations of the authentication template to the selected value to create a revised authentication encoding; processing the revised authentication encoding and the recovery data to create an authentication codeword; and comparing the authentication codeword and the enrollment codeword to authenticate the user.
 12. The authentication method of claim 11 further comprising creating the enrollment codeword by encoding an enrollment input.
 13. The authentication method of claim 12 further comprising entering the enrollment input in a hash function and converting the enrollment input to an enrollment hashed value.
 14. The authentication method of claim 13 wherein comparing the authentication codeword and the enrollment codeword to authenticate the user comprises: decoding the authentication codeword to generate an authentication input; entering the authentication input in the hash function and converting the authentication input to an authentication hashed value; and authenticating the user when the authentication hashed value is identical to the enrollment hashed value.
 15. The authentication method of claim 11 wherein: processing the revised enrollment encoding and the enrollment codeword to create the blinded enrollment encoding as recovery data comprises processing the revised enrollment encoding and the enrollment codeword with a first bitwise operator processing unit; and processing the revised authentication encoding and the recovery data to create the authentication codeword comprises processing the revised authentication encoding and the recovery data to create the authentication codeword with a second bitwise operator processing unit.
 16. The authentication method of claim 11 wherein: processing the revised enrollment encoding and the enrollment codeword to create the blinded enrollment encoding as recovery data comprises processing the revised enrollment encoding and the enrollment codeword with a first exclusive OR (XOR) processing unit; and processing the revised authentication encoding and the recovery data to create the authentication codeword comprises processing the revised authentication encoding and the recovery data to create the authentication codeword with a second exclusive OR (XOR) processing unit.
 17. The authentication method of claim 11 wherein setting the value at the first set of locations and the value at the second set of locations of the authentication template to the selected value to create the revised authentication encoding comprises setting the value at the first set of locations and the value at the second set of locations to zero.
 18. The authentication method of claim 11 wherein at least one location is included in both the first set of locations and in the second set of locations.
 19. The authentication method of claim 11 further comprising communicating and/or recording a record of each authentication of the user.
 20. A non-transitory computer readable storage medium having program instructions embodied therewith, the program instructions readable by a processor to cause the processor to perform a method for authenticating a user comprising: receiving an authentication input associated with the user, wherein the authentication input comprises a first template portion, including an encoding of features, and a second template portion, including an identification of a location in the first template portion that is not usable; revising the first template portion by setting a value at the location to a selected value to form a revised first template portion; creating an authentication codeword from the revised first template portion and from public recovery data; performing an error correction process to generate a corrected authentication codeword from the authentication codeword and from the second template portion; and decoding the corrected authentication codeword. 